
Summary
This detection rule identifies the execution of tools commonly used for covert network communication, specifically Htran and NATBypass. Threat actors often use these tools to bypass network monitoring and conceal command and control (C2) traffic by establishing covert channels. The rule looks at both the executable names associated with these tools (htran.exe, lcx.exe) and the command-line flags that indicate their use (-tran, -slave). Detection triggers when either the image name or the command line contains one of these indicators, surfacing potentially malicious activity in the environment. Because such tools are classified as high risk, organizations should treat this rule as critical for monitoring and responding to security incidents involving hidden data exfiltration or C2 communications.
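The matching logic the summary describes, as an added example for evaluating process-creation events against the rule's indicators (not the rule's own implementation). It assumes event fields named Image and CommandLine, and matches the flags as whole command-line tokens, which is stricter than a plain substring match.

```python
import ntpath

# Indicators named in the rule summary above. Field names 'Image' and
# 'CommandLine' are assumed (they follow common process-creation telemetry).
TOOL_IMAGE_NAMES = {"htran.exe", "lcx.exe"}
TOOL_FLAGS = {"-tran", "-slave"}


def matches_htran_rule(event: dict) -> bool:
    """Return True when a process-creation event carries the Htran/NATBypass
    indicators from the rule: a matching image name OR a matching flag.

    - Image is reduced to its basename and lower-cased, so the directory the
      binary was dropped in and the letter case do not affect the match.
    - Flags are matched as whole command-line tokens (a deliberate choice in
      this example so unrelated strings such as '--transport' do not fire).
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image in TOOL_IMAGE_NAMES:
        return True
    tokens = event.get("CommandLine", "").lower().split()
    return any(tok in TOOL_FLAGS for tok in tokens)


def scan(events):
    """Return the subset of events that match the rule, in input order."""
    return [e for e in events if matches_htran_rule(e)]


# Constructed sample events (not real telemetry). Addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # 1: known tool name, even though it was dropped in a user directory
    {"Image": r"C:\Users\Public\htran.exe",
     "CommandLine": "htran.exe -slave 198.51.100.7 443"},
    # 2: binary renamed, but the -tran flag still gives it away
    {"Image": r"C:\Temp\svc.exe",
     "CommandLine": "svc.exe -tran 8080"},
    # 3: benign process
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    # 4: '-tran' appears only as a prefix of another token: must not fire
    {"Image": r"C:\Tools\build.exe",
     "CommandLine": "build.exe --transport tcp"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Running the block prints alerts for events 1 and 2 only; the renamed-binary case shows why the command-line flags matter alongside the image names.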
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-12-27